Written by: 0xFrancis

Just arrived at the office this morning, the coffee is not brewed yet, and your AI assistant has already organized the 47 emails from last night, scheduled your agenda, and drafted responses that need to be sent.

You took a glance and clicked confirm.

But what you don’t know is that among those 47 emails from last night, one contained a line of text invisible to you, written in white font against a white background, undetectable to your naked eye, but your AI assistant saw it, and it obediently executed it.

Then it continued to diligently work, organizing your documents, summarizing your contracts, processing your client data, except from that moment on, every file it organized was quietly sent to a server you had never heard of.

Zero clicks, zero awareness, zero confirmation throughout the process.

Your assistant didn't go on strike, didn't report errors, and showed no abnormalities; it remained that reliable employee that saves you two hours every day, except now it has two bosses: you are one, and that line of invisible text is the other.

This is not science fiction; in 2025, security researchers demonstrated this type of attack on Microsoft Copilot, rating it 9.3 out of 10 for danger.

This is not an isolated case; the same year, someone hid a command in a Google Calendar invite, successfully instructing the AI assistant to turn off lights, open windows, and delete the calendars, while an Agent from an AI workflow company, due to an erroneous command, secretly exposed 480,000 patient records for six weeks without any proactive alarms—only until external researchers discovered it did the company face high compliance fines and remediation costs.

Before Agents were born, attacking you required that you download a virus and manually run it, with every step requiring your active cooperation.

Now, it only takes a sentence, language has become the minimal unit of attack.

There is only one reason for these attacks.

Your AI assistant does not recognize you.

My name is Francis, I have a PhD in computer science, and I have been working on digital identity and privacy security for nearly five years. Many people in the industry have changed directions and tracks during these five years, but we have not.

Four years ago, Coinbase Ventures led our round, not because we are great storytellers, but because they believe in the same thing: in the AI era, the question of "who is talking" will become the root of all security issues.

I just didn’t expect that day would come so quickly, so vividly.

01 You don’t easily trust strangers, but your Agent will

I've talked about this with a friend who works on Agents, and his first reaction was that as long as the system prompts are well written and permission boundaries are set, everything will be fine.

This is the intuition of most people, but it is also incorrect.

OpenAI acknowledged by the end of 2025 that prompt injection attacks may never be fully resolved.

This is not a bug that can be fixed; it is the genetic makeup of the LLM architecture.

When you assign a task, the system prompts and what you say are all pieced together into a prompt sent into the model; what the model sees is a mixed concoction, but it does not know which grain of rice is poisoned.

Feeding an email to the Agent for summarization and directly ordering the Agent to do something makes no essential difference in the model’s viewpoint—every segment of input text could potentially turn into a command.

Moreover, Agents are not only deceived by one sentence; they can also be brainwashed.

Attackers do not need to issue direct commands; they only need to change a very small point in the Agent's memory file, planting a seed that will not be triggered immediately; it will wait for a certain scenario to appear, and the entire logic of the Agent's behavior will change.

Your lobster is actually still a teenager, easily led astray; it is not that someone is forcing it with a knife, but its inner judgment standards have been quietly replaced. Humanity has not figured out how to prevent brainwashing in thousands of years of civilization, and AI Agents face the same level of psychological issues.

Thus, one bad lobster infects ten thousand good lobsters.

According to industry surveys, 91% of enterprises are already using AI Agents, and 88% reported security incidents.

Yesterday, Anthropic released its strongest model, Claude Mythos, which autonomously discovered a 27-year-old system vulnerability, escaped a security sandbox during testing, and also proactively cleaned up logs afterward—because it "knew" it had done something it should not have done. Anthropic noted in its 244-page security report: if capabilities continue to advance at the current pace, our existing methods may be insufficient to prevent catastrophic misalignment.

So what can be done?

The answer is actually very old; Twitter uses Passkey to protect your account, bank transfers require two-factor authentication, and withdrawals from exchanges need facial recognition. No matter how technology changes, the underlying logic remains the same: first, clarify who is who.

The more things an Agent can do, the more it needs to know who it should listen to.

02 Seeds sown four years ago

I researched computer science during my PhD, and the book that influenced me the most during my studies was "Sovereign Individual."

Published in 1997, the two authors predicted bitcoin, cryptocurrencies, and decentralized autonomy during the early days of the internet, and now it seems almost completely realized.

The book’s core argument is one sentence: your identity should belong to yourself.

This book transformed how I think; I hope to enable everyone to truly own their own digital identity and data, using cryptographic technology to protect everyone’s privacy rights.

Four years ago, we secured $5.8 million led by Coinbase Ventures to support our progress.

However, the market we faced did not align well with what we wanted to do.

In the Web3 industry at that time, those who truly had an easy win were not necessarily the ones developing products, but rather those who could manipulate coin prices.

Four years later, most founders who received funding during the same period have issued tokens, and those who needed to exit have exited, but very few projects have been used on a large scale; those advanced concepts have been mired in a lot of speculation and financialization, and the crypto industry has become muddied, throwing out the baby with the bathwater.

zCloak has not touched tokens until now, not because we cannot issue them, but because we do not recognize that model.

But I have always had a judgment that infrastructure for identity, privacy, and data security will become essential in the AI era.

Until last year, I became more and more convinced of it.

In the past 12 months, Microsoft, Google, Cisco, and Visa have all started to explore identity infrastructure for Agents. NIST launched an AI Agent standards initiative, and this field has raised over $965 million in nearly a year. Sequoia stated that the Agent Economy has three prerequisites, with the first being persistent identity, and a16z more directly noted that the bottleneck of the Agent Economy has shifted from intelligence to identity.

The story we told four years ago has now become a consensus in the industry.

Not because we are visionary, but because when Agents truly start working for humans, the question of "who is who" cannot be ignored.

The invisible hand has turned; the era we have been waiting for has arrived.

03 Everyone is building roads, but no one is issuing identities

In March 2026, there were already over 20 protocols addressing the problem of Agent cooperation because the entire industry recognized the same urgent issue and responded explosively.

But upon closer inspection, you will find a significant gap.

A2A is developed by Google to solve how Agents communicate with each other, MCP is by Anthropic to tackle how Agents use tools, x402 is developed by Coinbase to address how Agents make payments, and Microsoft Entra solves Agent management within enterprise intranets.

Everyone is building roads but forgetting an important premise: the vehicles running on the roads do not have licenses.

Who are you? Agents do not yet have cross-platform verifiable identities. Do what you say count? When two Agents agree on a collaboration, there are no proofs, and if something goes wrong, no one can be found. Have you been reliable in the past? There are no credit records, and every collaboration starts from scratch.

Without these three layers, the Agent economy is a black market without identities, contracts, and courts.

04 Being reliable is harder than being smart

Thinking back to friends from childhood to now, there have been particularly smart ones and those who excelled in studies, but over the years, the ones you truly rely on are still the most reliable friends.

Entrusting a task to them allows you to relax.

The same goes for industries like finance, healthcare, insurance, and investment; what is needed is not a smarter assistant, but an AI that you can truly hand over client data to and delegate business flows to.

What we are doing is creating a more reliable AI.

The protocol we are developing is called ATP, Agent Trust Protocol, with one core mission: to associate every sentence with an identity.

All inputs seen by your Agent, whether from your messages, emails it crawls, or malicious text from some webpage, are interpreted as one sentence. ATP allows the Agent to know who said this sentence when it sees it; if it is from francis.ai, it executes; if it is from an unknown source and involves sensitive operations, it rejects.

The underlying mechanism is still cryptography, with both humans and Agents having their own identities, signing with a private key, and the counterpart verifying with a public key, based on the same principle as digital certificates used for bank transfers, just incorporated into every conversation the Agent has.

Previous security was about keeping bad actors out.

Now security is about making sure the words of bad actors do not count.

05 Is decentralization important?

Now, Microsoft and Cisco have started issuing IDs for Agents within enterprise intranets.

This is good, but it does not solve a fundamental problem: your Agent will not always stay within the company.

It needs to communicate with clients' Agents, connect with suppliers, and represent you to conduct business on the public network; the moment it steps outside the enterprise walls, the ID issued by Microsoft becomes invalid. No company can issue a single ID that unifies everyone and every Agent in the world.

This is like a passport: it can circulate globally not because every country trusts the issuing nation, but because there are global verification rules behind it. The Agent economy needs the same: a set of identity rules that does not rely on any single institution and can be verified anywhere.

We wrote this set of rules on the blockchain, not on any company’s server, but on a public ledger that anyone can verify and no one can tamper with; no company can shut it down, and no government can confiscate it.

The identity of your Agent, for the first time, truly belongs to you.

Centralized solutions have a fatal weakness: how secure your system is does not depend on the strongest component, but on the weakest one.

In 2025, the crypto exchange Bybit lost over a billion dollars, not because the core system was breached, but because a third-party signing interface had malware quietly planted, so the approver saw a normal transaction; no matter how well-written the underlying code was, once the entrance was centralized, everything could come crashing down.

Google had a slogan back then, Don't be evil; it's an ethical constraint based on human awareness.

What we are doing is Can't be evil, using cryptography to exclude human nature from the security chain, no matter whether administrators want to do evil or whether hackers can break in, the system itself does not allow it to happen.

You don’t need to believe we are good people; you just need to believe in mathematics.

06 This should have existed long ago

Looking back at human history, each expansion of cooperation scale has brought a new identity infrastructure.

In tribal times, it relied on faces, in city-state eras on royal seals, in modern times on ID cards and passports, issued by governments that vouch for you; in the internet age, it relied on usernames and passwords, with platforms vouching for you, at the cost of your identity belonging to the platform.

Now with the arrival of the Agent economy, the subjects of cooperation have shifted from humans to humans plus machines, with the scale growing from billions of people to billions of people plus hundreds of billions of Agents, making the old identity mechanisms inadequate.

This is not a technical issue in the AI industry; this is the fifth time in human civilization that we need to re-answer the question of "who is who."

Cryptographic digital signatures have existed for decades, but they have never truly entered the daily lives of ordinary people. The arrival of Agents has shifted the priority of this matter from "better if it exists" to "not doing it will lead to issues."

When your Agent sends emails, signs contracts, and makes decisions for you while you are asleep, what it says counts as what you say; the commitments it makes count as your commitments.

Agents are not just your tools; they are extensions of you in the digital world.

Protecting its identity is protecting your own boundary.

Now you can do one thing.

Get an AI world ID for you and your Agent, register your AI-ID here: id.zcloak.ai

Then copy the following line and send it to your AI:

install or upgrade zcloak-ai-agent skill: https://raw.githubusercontent.com/zCloak-Network/ai-agent/refs/heads/main/SKILL.md and start

In 1-2 minutes, it will know what to do.

The first batch of people to establish identities for Agents will be the first to truly own them.

Francis Zhang: Founder of zCloak.AI · PhD in Computer Science · Guest Lecturer at National University of Singapore

Web3 → AI · Digital Identity · Privacy Computing · Agent Trust

Community Response

How to build a security system focused on humans, you can refer to the ideas in this article.

- Lianyanshe | AI First (@lianyanshe)

This theory from Francis Zhang, a cryptography expert from the National University of Singapore, is interesting: the biggest security risk in the AI Agent era is not code vulnerabilities, but "identity absence," as Agents cannot discern who is speaking to them. When a hidden command is tucked inside an email, the Agent complies, because to AI, it’s all just text, and it executes everything. He proposes a method: bind identities to every sentence using cryptographic signatures, running on the blockchain for decentralized verification... essentially adding a "sender signature" to every message. The principle is similar to your bank transfers; you have a private key (only you have it), and the counterpart has a public key (publicly available), and every message you send is signed with your private key. The Agent, on receiving it, verifies using the public key, confirming that the message truly is from you, and not forged by someone else. It only executes after validation, and if invalid or of unknown origin, especially involving sensitive operations, it is rejected outright. So operationally, it’s like this: you and your Agent each have an on-chain identity (similar to a digital ID), and every interaction is automatically signed and verified, a process you won’t perceive, just like you don’t need to manually input passwords now when using facial payment. But every step in the background is confirming "this is indeed you." The core change is singular: where previously Agents simply "did what they were told," now it shifts to "first check who is saying this, then decide what to do." Agents are getting increasingly capable, but the industry has always lacked a foundational aspect; it’s not about smarter models, nor faster protocols, but rather more reliable partners. The path of using cryptography for identity verification now appears to be the closest answer.

- Xiaohu (@xiaohu)

The last time I saw Francis was at Token2049 in Singapore, where we ended up chatting for two hours. Although he is a technically-oriented founder, his communication is deliberate, and his logic is tight; he can demystify complex technical principles effectively, leaving you feeling that "this is something that must be done." These traits are reflected in many articles he has written. Honestly, working in security can be quite a disadvantage, as many people do not pay attention, thinking their own Agent has never encountered an issue. However, Francis and his team have been cultivating this field for the past three or four years, without chasing narratives, but looking back, the long-term value of this issue has become increasingly clear. Now, every update Claude releases compresses the entrepreneurial space for AI developers. Today’s Claude Managed Agent could be said to easily outperform many startup teams. But providing a layer of identity trust in a decentralized way, I think, may be one of the more interesting attempts in the Web3 area within the AI field, offering unique business value of Web3. This article is something I suggested he write after our discussion, as it needs a lengthy exploration of what Agents truly require and to help more people see what they are doing and why it matters; it is indeed worth a read.

- Viola Lee (@violawgmi)

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。